The Mac Security Blog

Security News

Safari 9.1 Closes Security Hole That May Leak Sensitive Data

Posted on by

Safari Security Update

Apple updated its Safari web browser yesterday to version 9.1, available for OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, and OS X El Capitan 10.11 to 10.11.3. Safari 9.1 addresses a list of vulnerabilities, including a cookie storage issue in which a website may be able to obtain potentially sensitive information, according to Apple.

This update also addresses security bugs related to interface spoofing and another issue that allows remote attackers to deny service, among other vulnerabilities. Following is the full list of vulnerabilities patched in Safari 9.1:

  • CVE-2016-1762 : Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2009-2197 : Visiting a malicious website may lead to user interface spoofing. An issue existed where the text of a dialog included page-supplied text. This issue was addressed by no longer including that text.
  • CVE-2016-1771 : Visiting a maliciously crafted webpage may lead to a system denial of service. An insufficient input validation issue existed in the handling of certain files. This was addressed through additional checks during file expansion.
  • CVE-2016-1772 : A website may be able to track sensitive user information. A cookie storage issue existed in the Top Sites page. This issue was addressed through improved state management.
  • CVE-2016-1781 : A website may be able to track sensitive user information. An issue existed in the handling of attachment URLs. This issue was addressed through improved URL handling.
  • CVE-2016-1778, CVE-2016-1783 : Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2016-1782 : A malicious website may be able to access restricted ports on arbitrary servers. A port redirection issue was addressed through additional port validation.
  • CVE-2016-1779 : Visiting a maliciously crafted website may reveal a user’s current location. An issue existed in the parsing of geolocation requests. This was addressed through improved validation of the security origin for geolocation requests.
  • CVE-2016-1784 : Processing maliciously crafted web content may lead to an unexpected Safari crash. A resource exhaustion issue was addressed through improved input validation.
  • CVE-2016-1785 : A malicious website may exfiltrate data cross-origin. A caching issue existed with character encoding. This was addressed through additional request checking.
  • CVE-2016-1786 : Visiting a malicious website may lead to user interface spoofing. Redirect responses may have allowed a malicious website to display an arbitrary URL and read cached contents of the destination origin. This issue was addressed through improved URL display logic.

With just a few clicks, your browser will be patched up and you’ll be ready to browse more safely! So take a moment to update to Apple’s Safari 9.1 and close the security holes in your web browser.

Mac users can install the updated Safari browser by choosing Apple menu > App Store…, or the updates may be obtained from the Mac App Store.